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Abstract 

Bit>vector  theories  with  concatenation  and  extraction  have 
been  shown  to  be  useful  and  important  for  hardware  veri¬ 
fication.  We  have  implemented  an  extended  theory  which 
includes  arithmetic.  Although  deciding  equality  in  such  a 
theory  is  NP-hard,  our  implementation  is  efficient  for  many 
practical  examples.  We  believe  this  to  be  the  first  such  im¬ 
plementation  which  is  efficient,  automatic,  and  complete. 

1  Introduction 

As  designs  grow  in  complexity,  design  verification  becomes 
increasingly  important  and  challenging.  New  and  better  ver¬ 
ification  techniques  are  critical  to  ensure  correctness,  main- 
tsdn  design  cycle  times,  and  protect  designers  from  economic 
losses  due  to  undiscovered  bugs.  Formal  methods  for  verifi¬ 
cation  are  especially  attractive  because  they  have  the  poten¬ 
tial  to  cover  most  or  all  of  the  behaviors  in  a  design  without 
having  to  exhaustively  simulate  it. 

The  Stanford  Validity  Checker  (SVC)  [2,  9]  is  an  auto¬ 
matic  verification  tool  which  has  been  in  development  for 
several  years  at  Stanford  University.  The  input  to  SVC  is 
a  Boolean  formula  in  a  quantifier-free  subset  of  first-order 
logic.  It  may  also  contain  Boolean  operators,  uninterpreted 
functions,  and  various  interpreted  functions  such  as  opera¬ 
tions  on  infinite  arrays  and  arithmetic.  We  have  found  these 
constructs  to  be  useful  for  modeling  hardware  designs.  Us¬ 
ing  a  combination  of  case-splitting  and  cooperating  decision 
procedures,  SVC  determines  whether  a  formula  is  valid  (i.e. 
equivalent  to  true  in  every  possible  interpretation).  If  the 
formula  is  not  valid,  SVC  returns  a  counterexample.  SVC 
is  used  as  the  final  step  in  the  automatic  hardware  verifi¬ 
cation  paradigm  of  Burch  cind  Dill  [4].  In  their  approach  a 
specification  and  an  implementation  are  each  symbolically 
simulated  and  the  resulting  states  are  then  compared  to  see 
if  they  are  equivalent.  This  method  has  been  shown  to  be 
successful  for  verification  of  actual  designs  and  is  currently 
being  applied  to  the  TORCH  microprocessor,  an  aggressive 
superscalar  microprocessor  developed  for  educational  and 
research  purposes  at  Stanford  University  [11].  The  powerful 
and  efficient  decision  procedures  in  SVC  are  critical  for  the 
success  of  this  effort. 

Other  formal  methods  such  as  theorem  proving  and  mo¬ 
del  checking  have  been  used  extensively,  but  theorem  provers 
suffer  from  a  lack  of  automation  and  model  checking  from 
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the  inability  to  handle  large  designs  due  to  state  explosion. 
SVC  attempts  to  take  the  best  (and  avoid  the  worst)  of 
both  worlds.  First  of  all,  SVC  is  able  to  reason  at  an  ab¬ 
stract  level  and  has  built-in  decision  procedures  much  like  a 
theorem  prover.  However,  the  logic  of  SVC  is  restricted  to 
be  decidable,  which  enables  it  to  prove  or  disprove  all  for¬ 
mulas  automatically.  Secondly,  SVC  uses  a  directed  axiyclic 
graph  (DAG)  structure  much  like  that  used  for  binary  de¬ 
cision  diagrams  (BDDs)  in  model  checkers.  However,  SVC 
does  not  require  the  DAG  to  be  canonical.  As  a  result,  SVC 
is  more  robust  and  can  handle  formulas  that  would  blow  up 
if  represented  with  BDDs.  Such  formulas  may  still  take  a 
very  long  time  to  verify,  but  various  heuristics  can  be  ap- 
pli^  to  speed  up  the  verification  without  fear  of  a  sudden 
failure  due  to  BDD  explosion. 

As  mentioned,  a  nice  feature  of  theorem  provers  is  their 
support  for  abstraction.  A  primary  goal  of  SVC  is  to  make 
abstraction  easier  by  providing  uninterpreted  functions  and 
various  interpreted  theories.  Most  recently,  we  have  com¬ 
pleted  a  decision  procedure  for  a  theory  of  bit-vectors  in 
SVC.  Bit- vectors  (also  called  “words”)  are  a  critical  abstrac¬ 
tion  for  reasoning  about  hardware  structures.  Intuitively,  a 
bit-vector  is  a  fixed-length  string  of  individual  bits,  and  op¬ 
erations  on  bit-vectors  can  be  described  in  terms  of  their 
effect  on  each  bit.  Alternatively,  these  operations  can  be 
viewed  as  transformations  on  bit-vectors  as  a  whole.  The 
advantage  of  the  latter  approach  is  that  a  property  which 
may  be  complex  and  difficult  at  the  bit-level  (such  as  addi¬ 
tion)  can  be  expressed  easily  as  an  operation  on  bit-vectors. 
It  is  especially  desirable  to  be  able  to  reason  about  concate¬ 
nation,  extraction,  bit-wise  Boolean  operations,  and  arith¬ 
metic,  since  these  correspond  to  hardware  structures. 

As  we  describe  in  the  next  section,  deciding  equality 
of  arbitrary  combinations  of  these  operations  is  NP-hard. 
In  spite  of  this  fact,  we  have  developed  an  automatic  al¬ 
gorithm  for  reasoning  about  fixed-size  bit-vector  addition, 
negation,  concatenation,  and  extraction  which  avoids  expo¬ 
nential  blow-up  on  many  practical  examples.^ 

As  mentioned  above,  the  approach  taken  in  SVC  dif¬ 
fers  from  that  of  both  theorem  provers  and  model  check¬ 
ers.  However,  there  is  closely  related  work  in  both  areas. 
Recently,  successful  methods  for  reasoning  about  bit-vector 
operations  in  a  model-checking  paradigm  have  used  Binary 
Moment  Diagrams  (*BMDs)  [1,  3].  These  have  been  able 
to  automatically  verify  large  arithmetic  circuits.  The  set  of 
problems  solvable  using  *BMDs  is  comparable  to  those  solv¬ 
able  by  SVC^s  bit- vector  canonizer  and  a  comparison  of  the 
two  is  presented  in  Section  5  below. 

Bit-vector  libraries  have  also  been  developed  for  many 
theorem  provers  including  Boyer-Moore  [8],  SDVS  [10],  HOL 
[13]  and  PVS  [6].  All  of  these  libraries  implement  the  ba¬ 
sic  operations  of  concatenation  and  extraction,  but  none  of 
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*tnl 

A  bit- vector  of  size  n.  We  will  sometimes  omit  the  subscript  if  it  is  obvious  from  the  context. 

val(„! 

A  constant  bit-vector  which  is  the  binary  representation  of  the  decimal  value  val.  If  n  is  larger  than  is 
required  to  represent  val,  then  the  upper  bits  are  assumed  to  be  0.  If  n  is  omitted,  it  is  assumed  to  be 
the  smallest  value  required  to  represent  val.  We  only  use  values  which  are  positive,  except  in  the  case 
of  (— l)[n]  which  we  use  to  represent  the  vector  of  size  n  contadning  all  I’s  (i.e.  having  value  2”  —  1). 

:  J] 

The  extraction  of  bits  i  through  j  of  x.  We  require  0  <  j  <i  <n.  We  write  x[i]  as  an  abbreviation 
when  i  =  j. 

The  concatenation  of  x  and  y  to  yield  a  new  bit-vector  of  size  m  +  n. 

NOT  X[„i 

The  bit-vector  whose  bits  are  the  negation  of  the  bits  of  x. 

®tm]  +[*]  y[n) 

Addition  of  X[^]  and  y[n]  modulo  2*.  If  A;  is  omitted,  we  assume  it  is  equal  to  the  larger  of  m  and  n. 

Also,  if  m  is  less  than  k,  then  x  is  implicitly  zero-extended  to  size  k,  whereas  if  A;  <  m,  the  intended 
meaning  is  that  only  the  lowest  k  bits  of  x  are  to  be  used  (and  similarly  for  n  and  y).  Because  modular 
addition  is  associative,  it  is  unnecessary  to  use  parentheses  when  referring  to  more  than  two  operands. 

lESSIBS^I 

True  if  and  only  if  m  =  n  and  corresponding  bits  of  x  and  y  are  equal. 

Table  1:  Bit- vector  Theory  and  Definitions 


them  provide  a  complete  and  automatic  implementation  of 
bit-vector  arithmetic.  Probably  the  most  closely  related 
work  is  that  of  Cyrluk  et  al.  in  PVS.  A  comparison  of  of 
their  work  with  SVC  is  included  in  Section  4  below. 

The  rest  of  the  paper  is  organized  as  follows.  Section 

2  describes  some  notation  and  complexity  results.  Section 

3  explains  in  some  detail  the  theory  behind  the  SVC  im¬ 
plementation  and  contains  the  main  contributions  of  the 
paper.  Section  4,  as  mentioned,  contains  a  comparison  of 
our  method  with  that  presented  in  [6],  and  Section  5  gives 
experimental  results  obtained  using  SVC  on  microprocessor 
verification  examples.  Finally,  Section  6  gives  some  conclu¬ 
sions  and  directions  for  future  work. 

2  Complexity  of  Bit- Vector  Logics 

In  contrast  to  those  approaches  which  convert  bit-vectors 
into  natural  numbers,  our  approach  is  to  remain  in  the  bit- 
vector  domain;  all  operations,  therefore,  take  bit- vectors  as 
arguments  and  return  bit- vectors  as  results.  Table  1  lists  the 
elements  that  make  up  our  theory  of  bit- vectors.  Note  that 
we  refer  to  the  bits  in  a  bit-vector  of  size  n  by  index,  with 
the  least  significant  (right-most)  bit  being  indexed  with  0 
and  the  most  significant  bit  being  indexed  with  n  —  1. 

In  order  to  evaluate  our  decision  procedure  it  is  neces¬ 
sary  to  answer  the  question  of  whether  there  exists  a  simple 
algorithm  for  deciding  expressions  in  this  bit-vector  theory. 
Some  complexity  results  are  given  in  [6].  It  is  shown  that 
equality  of  terms  under  the  core  theory  of  fixed-size  bit- 
vectors  with  concatenation  and  extraction  is  decidable  in 
polynomial  time.  A  subsequent  extension  to  include  bit- 
vector  Boolean  operations  such  as  AND,  OR  and  NOT, 
however,  can  easily  be  shown  to  produce  a  theory  in  which 
deciding  equality  is  NP-hard  as  follows.  Consider  an  arbi¬ 
trary  instemce  of  the  Boolean  satisfiability  problem  which 
is  a  well-known  NP-complete  problem.  A  general  Boolean 
proposition  can  be  encoded  using  1-bit  bit-vectors  and  the 
Boolean  operators.  Call  this  encoding  P.  Then  the  satis¬ 
fiability  problem  can  be  solved  by  checking  the  validity  of 
P  =  FAIjSE.  If  valid,  the  formula  is  unsatisfiable,  other¬ 
wise  it  is  satisfiable. 

Alternatively,  consider  extending  the  core  theory  by  in¬ 
cluding  arithmetic  operations.  Unfortunately,  even  the  most 
trivial  extension  can  quickly  be  seen  to  be  NP-hard.  Allow¬ 
ing  only  the  additional  operation  of  adding  one  to  any  bit- 
vector  immediately  gives  us  the  ability  to  express  arbitrary 


propositional  logic  statements  since 

X[i]  -hi  =  NOT  X[i]  and 

{x[i]  o  y{i]  +{3]  1)[2]  =  X[i]  AND  y^i]. 

The  same  reduction  as  above  shows  that  deciding  equality 
in  this  simple  extended  theory  is  NP-hard.  This  gives  some 
insight  into  the  difficulty  of  handling  bit-vector  arithmetic 
automatically. 

Finally,  one  additional  complication  when  dealing  with 
bit- vectors  is  that  there  are  some  bit- vector  formulas  which 
are  valid  only  because  each  bit-vector  variable  has  a  finite 
number  of  possible  values.  For  example, 

0[1)  =  6(1]  V  6[1]  =  C[1]  V  0(1)  =  C[1]. 

In  order  to  correctly  handle  these  formulas,  we  must  manu¬ 
ally  force  SVC  to  consider  all  possible  values  for  each  vari¬ 
able.  Fortunately,  the  examples  we  have  encountered  in 
practice  do  not  have  this  property. 

3  Our  Approach 

As  described  in  [2],  SVC  uses  a  framework  for  cooperat¬ 
ing  decision  procedures  very  much  like  that  developed  by 
Shostak  [5]  and  used  in  PVS.  One  of  the  requirements  of 
this  framework  is  that  semantically  equivalent  terms  should 
have  a  unique  representation,  which  we  refer  to  as  a  canon¬ 
ical  form.  We  call  the  process  of  transforming  terms  into 
their  canonical  form  canonizing  and  we  call  the  algorithm 
which  does  it  a  canonizer.  In  SVC,  not  all  terms  need  to 
be  canonized.  Only  terms  which  do  not  contain  Boolean 
subexpressions,  which  we  call  atomic,  must  be  maintained 
in  canonical  form.  This  policy  is  acceptable  because  non- 
atomic  expressions  contain  at  least  one  term  which  SVC  can 
use  to  perform  a  case-split.  Since  SVC  exhausts  all  possible 
case-splits  before  reporting  a  counterexample,  it  is  impossi¬ 
ble  for  a  fedse  negative  to  result.  As  we  will  see  below,  the 
flexibility  of  not  having  to  canonize  non-atomic  expressions 
can  be  exploited  to  delay  canonization  of  complicated  ex¬ 
pressions  until  absolutely  necessary.  Our  fi-amework  further 
requires  that  atomic  equations  be  written  in  a  specific  form 
in  which  the  left-hand  side  contains  a  single  variable  and  the 
right-hand  side  containes  the  rest  of  the  terms.  We  call  the 
algorithm  to  do  this  a  solver.  Every  time  a  new  theory  is 
added  to  SVC,  a  canonizer  and  solver  for  that  theory  must 
be  provided.  The  canonizer  and  solver  for  bit-vectors  in 


2”  ’  Oi[m]  +[m+nl  fl[n] 

(2) 

not  a[„, 

(-l)rml  •  arm!  +rm1  (-l)lml 

(3) 

:  j] 

Additionally,  the  following  equation  is  added  to  the  current  knowledge  database  : 

'^[m]  “  2^  ^  *  X[yr(..t— 1]  2'^  •  H"[ml  ^\j] 

where  x,  y,  and  z  are  new  variables.  Ift  =  m  —  lorj  =  0  then  the  appropriate 
terms  are  omitted. 

(4) 

(®o  +[m]  •  •  •  a:,)[t :  0] 

xo  +[f-f  1]  Xs 

_ 

(5) 

(*0  +[m]  •  •  •  *.)[»  :  j] 

a:o[*o  :  j]  +[<-i+i]  •  •  •  *.[».  :  j]  +li-i+i) 

OVF(i,j)(®oL/  —  1 :  0] . . .  ar*L;  —  1 :  0]) 

HI 

(6) 

a  -l-M  (xo  +[,]  x,) 

a  Xo  -\-\i]  Xs  . 

if  j  >i 

El 

if  i  <  t 

(8) 

OVF[^.j](ao . .  .ajfe) 

OVF(,-.j](ao,(ai  +[j|  •••  a*))  +[<_i+i]  OVF«:,i(ai  . .  .«*) 

if  fc  >  1 

(9) 

(0([,7i] ,  ^[n]) 

a[fn  -  1  :  j]  +(i-j+i]  /3[n  -  1  :  i]  +[<-j+il 

OVF,^:i,(ab- -  1  :  0],/9l;  -  1  :  0]) 

if  i  >  i 

(10) 

OVF(„_i,„_i](ite(Qi[n  -  1]  =  /3[n  -  1]  ,  a[n  -  1]  o  0(„_2)  ,  a[n  -  2  :  0]), 
ite(a[n  -  1]  =  ^[n  -  1]  ,  y3[n  -  1]  o  0[„_2]  ,  /3[n  -  2  :  0])) 

if  n  >  1 

OVF[„.„](ai„j,/3(„]) 

ite(a  =  0  ,  a  ,  0[i]) 

if  n  =  1 

Table  2:  Rules  for  eliminating  concatenation,  negation,  and  extraction,  flattening  addition,  and  converting  OVF  terms  to 
non-atomic  expressions.  Note  that  a  and  I3  are  arbitrary  expressions  and  ik  =  min(i,nfc)  where  n/t  is  the  size  of  x*. 


SVC  are  based  on  properties  of  hardware  arithmetic.  They 
constitute  the  major  contribution  of  this  paper  and  are  de¬ 
scribed  in  the  next  two  subsections. 

3.1  Canonizer 

Coming  up  with  a  canonical  form  for  bit-vector  expressions 
is  complicated  by  the  inclusion  of  bit- vector  arithmetic.  This 
is  because  the  same  expression  may  be  represented  in  non- 
trivially  different  ways.  For  example,  (x[,i]  aJ[n])  is 

equivalent  to  (x[n]  o  Om]).  Similarly,  (x(i]  -f[i]  l[i])  is 
equivalent  to  (NOT  X[i]). 

To  avoid  such  redundancy,  we  translate  all  bit- vector  ex¬ 
pressions  into  a  specific  kind  of  arithmetic  expression:  the 
addition  (modulo  2^  for  some  fixed  bit- width  n)  of  bit- vector 
variables  with  constant  coefficients.  We  call  these  bitplus  ex¬ 
pressions.  In  order  to  ensure  a  unique  representation,  vari¬ 
ables  are  ordered  with  duplicates  eliminated,  and  each  co¬ 
efficient  is  reduced  modulo  2^.  A  set  of  transformations 
for  converting  bit-vector  operations  into  bitplus  expressions 
is  shown  in  Table  2.  Some  of  these  rules  make  use  of  the 
OVF  operator,  which  we  define  and  explain  below.  The 
first  two  rules  are  simple  transformations  for  dealing  with 
concatenation  and  negation.  Rule  (3)  shows  how  to  elimi¬ 
nate  extraction  at  the  cost  of  introducing  new  variables.  We 
refer  to  this  process  as  slicing ,  and  it  is  desirable  to  avoid  it 
whenever  possible.  Intuitively,  repeated  slicing  moves  from 
the  bit-vector  abstraction  to  the  bit-level,  and  in  the  worse 
case,  each  bit  must  be  considered.  Section  4  provides  one 
illustration  of  how  slicing  can  be  avoided.  Rules  (4)  and  (5) 
show  how  to  eliminate  extraction  when  applied  to  a  bitplus 
expression,  and  (6)  and  (7)  show  how  to  ‘‘flatten”  bitplus 
expressions  to  ensure  that  other  bitplus  expressions  do  not 
appear  as  subexpressions. 

However,  a  canonical  form  cannot  always  be  obtained  by 
simple  transformations  (as  we  would  expect  given  the  fact 
that  the  general  problem  is  NP-hard).  The  difficulty  comes 
from  the  interaction  of  extraction  and  addition.  Consider 
the  following  two  expressions. 

{8  •  *(„]  +[4]  7)  [2] 


(a![3]  +[4]  y[3])[3] 

In  the  first  case,  it  is  desirable  to  push  the  extraction  inside 
the  bitplus  expression  which  will  result  in  l[i].  However,  in 
the  second  case,  there  is  no  way  to  represent  the  result  of 
pushing  the  extraction  inside  the  bitplus,  because  the  result 
depends  on  whether  adding  x  and  y  overflows  into  the  fourth 
(most  significant)  bit.  To  deal  with  such  cases,  we  introduce 
a  new  overflow  operator,  OYF^^.j]  which  represents  bits  i 
through  j  of  the  sum  of  its  operands.  Using  this  operator, 
we  can  rewrite  the  second  expression  above  as 

(iP[3]  +[4]  y[3])[3]  =  OVF[3.3](x,y). 

We  define  overflow  for  the  general  case  as  follows: 

QVF[<.^|(xo[nol  ♦  •  =  i^O[no]  +[t+ll  ‘  ‘  ’  3:fc[nfcl)[*  = 

Whenever  the  overflow  operator  is  applied,  the  expression  is 
first  checked  using  a  simple  algorithm  to  see  if  it  is  equivalent 
to  a  concatenation  of  variables  or  their  negations.  If  it  is, 
then  the  appropriate  bits  are  extracted  and  then  converted 
back  into  a  bitplus  expression,  for  example, 

OVF [3;!]  (2  •  y(2]|9)  =  y[2]  +4. 

If  the  overflow  expression  cannot  be  written  in  a  simple  form 
as  above,  we  break  it  down  using  the  last  three  rules  shown 
in  Table  2. 

To  understand  rule  (8),  notice  that  OVF[,:j](x,y,2f)  and 
OVF(»,j](x,(y  z))  differ  by  exactly  OVF Rule 

(8)  is  the  generalization  of  this  property  which  we  use  to  split 
an  overflow  expression  with  k  arguments  into  two  overflow 
expressions  that  have  2  and  fc  —  1  arguments  respectively. 
This  rule  is  applied  repeatedly  until  all  overflow  expressions 
have  only  two  arguments.  Then  rule  (9)  is  applied  to  convert 
overflow  expressions  in  which  t  >  j  to  overflow  expressions 
in  which  i  =  j  (we  show  the  case  where  m>  j  and  n  >  jj 
but  the  other  cases  are  similar).  Finally,  rule  (10)  takes 
overflow  expressions  resulting  from  the  application  of  rule 

(9)  and  turns  them  into  non-atomic  expressions.  It  does  this 
by  making  use  of  the  ite  operator  which  is  used  in  SVC  to 


represent  all  Boolean  operations.  For  arbitrary  expressions, 
a,  13,  and  7, 

ite(a,^,7)  =  if  a  then  /3  else  7. 

The  intuition  behind  rule  (10)  is  that  we  are  simply  comput¬ 
ing  the  carry  bit  of  an  n-bit  adder.  If  the  most  significant 
bits  are  equal,  then  they  determine  and  are  equal  to  the 
carry  bit.  If  they  are  different,  then  the  carry  bit  is  prop¬ 
agated  from  other  n  —  1  bits.  The  use  of  the  ite  operator 
is  of  key  importance.  As  we  mentioned  earlier,  SVC  does 
not  require  a  canonical  form  for  non-atomic  expressions.  A 
canonical  form  would  require  expressing  the  full  logic  of  a 
ripple-carry  adder  and  would  require  looking  at  all  the  bits 
of  the  arguments.  But  the  decomposition  we  have  given  is 
incremental,  suspended  until  SVC  does  a  case-split  on  the 
equality  of  the  most  significant  bits.  If  they  are  unequal, 
SVC  will  slice  off  the  next  most  significant  bits.  In  the  worst 
case,  we  will  have  to  look  at  every  bit.  But  the  incremental 
approach  will  avoid  this  unless  absolutely  necessary. 

3.2  Solver 

The  other  main  contribution  of  this  paper  is  a  solver  for 
equations  involving  bit- vector  operations.  The  requirements 
for  the  solver  are  very  similar  to  those  of  the  canonizer.  In 
fact,  the  solver  can  be  viewed  as  a  canonizer  for  equations. 
In  SVC,  canonical  equations  are  required  to  have  the  most 
complex  variable  or  uninterpreted  function  isolated  on  the 
left-hand  side,  with  the  rest  of  the  terms  on  the  right-hand 
side.  Complexity  is  defined  by  a  total  ordering  on  expres¬ 
sions  (see  [2]).  In  the  case  of  bit- vectors,  we  arrange  for 
longer  bit-vectors  to  be  more  complex  than  shorter  ones,  so 
that  we  solve  for  the  longest  bit- vector  in  the  equation.  This 
avoids  slicing  bit-vectors  unnecessarily.  In  general,  we  must 
be  able  to  solve  arbitrary  equations  of  the  form 

ao  ‘  Xo  H-[n]  •  ‘  *  dp  •  Xp  =  ho  ^  yo  -^[n]  •  •  •  bq  -yq. 

Using  arithmetic  modulo  2”,  we  can  easily  isolate  the  most 
complex  variable,  say  Z[m] ,  with  coefficient  c  on  the  left-hand 
side.  The  resulting  equation  has  the  following  form: 

c  •  Zlm]  =  do  ■  ti;o(mol  +[n]  '  ’  ’  dj  ■  Wj 

Now,  we  must  eliminate  c  in  order  to  isolate  z.  If  c  is  odd, 
we  can  do  this  by  finding  its  multiplicative  inverse,  which  is 
for  some  k  <  n  —  2.  We  explain  briefly  why  this  is 
true.  It  is  well-known  [7]  that  the  set  of  all  positive  integers 
less  than  and  relatively  prime  to  some  positive  integer  p 
forms  a  group  imder  multiplication  modulo  p,  denoted  U{p). 
In  particular,  when  p  =  2",  every  odd  positive  integer  less 
than  p  is  in  U{p).  Furthermore,  17(2")  is  isomorphic  to 
the  (external)  direct  product  of  the  cyclic  groups  of  order 
2  and  2"“^,  which  means  that  each  element  of  1/(2")'  has 
order  2*  for  some  k  <  2"”^.  Thus,  if  c  is  odd,  there  exists 
k  <n  — 2  such  that  =1  modulo  2",  and  it  follows  that 
the  inverse  is  To  find  the  inverse  i  of  c,  we  use  the 

simple  algorithm  shown  in  Figure  1. 

Thus,  finding  the  inverse  of  c  requires  at  most  2(n  — 
2)  n-bit  multiplies,  and  assuming  uniform  distribution,  the 
expected  number  of  multiplies  is  about  2(n  —  3).  In  the 
examples  we  have  done,  however,  the  coefficient  is  almost 
always  either  1  or  2"  —  1,  so  the  actual  average  number 
of  multiplications  is  actually  much  less  (between  0  and  2). 
After  calculating  the  inverse,  we  simply  multiply  all  terms 


i  :=  c; 

while  (c  ^  1)  do  begin 
c  :»  (c  X  c)  mod  2"n; 
i  :=  (i  X  c)  mod  2''n; 
end 

Figure  1:  Algorithm  to  find  the  multiplicitive  inverse  of  c. 

in  the  equation  by  the  inverse  and  the  resulting  equation 
will  have  Z[m]  alone  on  the  left-hand  side. 

Suppose  on  the  other  hand  that  c  is  even.  Then  we  can 
write  c  =  2*  •  6  for  some  k>l  and  b  odd.  We  can  then  split 
the  equation  into  two  equations  as  follows: 

b^z  =  (do 'Wo  +[ni  ’•*  dj  •Wj)[n— 1  :  k]  and 
0[k]  =  do 'Wo  +[ifc]  •"  dj'Wj. 

The  first  equation  can  now  be  solved  by  calculating  the  in¬ 
verse  of  b.  Furthermore,  though  we  will  have  to  repeat  the 
canonization  process  on  the  second  equation,  we  have  elimi¬ 
nated  z  from  it  without  adding  any  variables,  ensuring  that 
the  process  will  terminate. 

Once  we  have  an  equation  of  the  form 

^[m]  —  Co- Wo  +[nl  *  *  '  Cj  '  Wj , 

there  is  one  final  step  if  m  <  n  (which  is  possible  since, 
as  mentioned  in  Th^ble  1,  we  do  not  put  any  restrictions  on 
the  bit-widths  of  variables  appearing  in  bitplus  expressions). 
In  this  case,  we  know  that  the  most  significant  bits  of  the 
right-hand  side  of  the  equation  must  be  zero.  So  as  above, 
we  split  it  into  two  equations: 

^[m]  =  Co 'WO  +[t7i]  ’  •  ■  Cj  'Wj  and 
Oin-m)  =  (co  -tuo  +[«)  ■  ■  ■  Cj  ■  Wj)[n  -  1  :  m]. 

Again,  we  may  have  to  canonize  the  second  equation.  Even¬ 
tually,  though,  our  initial  equation  will  be  transformed  into 
a  conjunction  of  equations,  each  solved  for  a  different  vari¬ 
able.  We  have  found  that  it  is  very  desirable  for  efficiency 
to  transform  these  equations  (via  substitution)  so  that  vari¬ 
ables  appearing  on  the  left-hand  side  do  not  appear  in  the 
right-hand  sides  of  any  of  the  other  equations. 

4  Avoiding  Bit- Slicing 

As  previously  mentioned,  whenever  part  of  a  bit-vector  vari¬ 
able  is  extracted,  that  bit-vector  is  sliced  into  several  parts, 
which  reduces  the  level  of  abstraction  and  is  thus  to  be 
avoided  if  possible.  Our  initial  implementation  of  bit- vectors 
was  based  on  the  work  done  by  Cyrluk  et  al.  in  [6].  However, 
our  decision  to  use  bitplus  expressions  as  oiu*  internal  rep¬ 
resentation  was  a  significant  departure  from  their  method. 
As  a  result,  we  were  able  to  increase  the  range  of  arithmetic 
examples  which  can  be  verified  automatically. 

However,  it  turns  out  that  for  some  examples,  even  the 
original  core  theory  of  concatenation  and  extraction  benefits 
from  this  change  in  the  internal  representation.  This  is  be¬ 
cause  bit-slicing  can  be  avoided  in  many  cases.  Suppose  w 
is  a  bit-vector  of  size  n  and  consider  the  following  example: 

w[n  —  1:1]=  w[n  —  2:0]  w[n  —  1]  =  tu[0] 

In  order  to  canonize  this  formula,  the  decision  procedure  of 
Cyrluk  et  al.  generates  a  new  variable  for  every  bit  of  lu. 


0 

II 

((x[n-l:l]  +  l)  0  0[„) 

=  x  +  2) 

(1) 

(a:[0]  =  1) 

((x  +  (-l)[„i)[n  -1:1] 

=  x[n  —  1:1]) 

(2) 

NOT  {(x  + y +(-!),„, )[0]) 

=  (x  +  y)[0] 

(3) 

((2"  -  2)  •  X[„_i]  +[„]  (-l)[„))[n  -1:1] 

=  NOT  X[„_ii 

(4) 

(yin  °  *rn-2i  +W  i)[n-i] 

=  (a:[n-2]  +W  »[!])[» -2] 

(5) 

Figure  2:  Bit- Vector  Arithmetic  Verification  Examples,  x  and  y  are  bit-vectors  of  size  n  unless  otherwise  specified. 


resulting  in  a  conjunction  of  n  equations: 

=  tyn-2)  A 

{Wn-2  =  Wn-3)  A 

(u;i  =  t(Jo)  A 
(W  =  tUn-l  O  tyn-2  •  •  •  t/Jo) 

where  each  Wi  is  a  new  bit-vector  of  length  one.  Using  our 
canonizer,  only  the  most  and  least  significant  bits  are  sliced, 
resulting  in  the  following  two  equations: 

(2""^-ar[i]  -|-[n-l]  y[n-2]  =  2-y(„_2j  +[n~l]  ^[1])  A 

(lu  =:  a;[i]  o^[i]) 

We  then  invoke  the  solver  and  end  up  with: 

(y[n-2]  =  {-l)[n-2]  *  Z[i])  A 

(arjij  z=  Z[i])  A 

(tu  =  X[i]  o  y[n.2]  °  Z[1]) 

Thus,  instead  of  producing  n  equations,  we  produce  only 
three.  The  information  from  the  other  equations  is  stored 
in  the  coefficients.  Most  of  w  remains  as  an  abstract  bit- 
vector. 

5  Results 

The  examples  shown  in  Figure  2  demonstrate  the  kinds  of 
formulas  which  caji  be  verified  using  the  methods  described 
above.  Formulas  (1)  through  (3)  are  small  pieces  of  much 
larger  formulas  from  processor  verification,  and  (4)  and  (5) 
are  simply  test  benchmarks  which  we  feel  are  representar 
tive  of  the  complexity  of  the  general  problem.  In  general, 
SVC  must  solve  many  such  small  problems,  as  well  as  sim¬ 
ilar  problems  in  other  theories,  as  part  of  proving  a  larger 
formula. 

Examples  three  through  five  are  easily  verified  using  only 
the  SVC  canonizer.  These  examples  can  also  be  verified 
using  *BMDs  (in  contrast,  the  first  two  examples  cannot 
be  directly  verified  using  only  *BMDs  because  they  include 
Boolean  connectives).  In  Table  3,  the  column  labeled  “SVC” 
shows  the  time  required  to  verify  these  examples  running 
SVC  on  a  200  MHz  Pentium  Pro.  The  second  column  shows 
the  time  required  to  verify  the  same  property  on  the  same 
machine  using  the  *BMD  package  from  Bryant  and  Chen 
[3].  The  third  column  shows  the  time  required  on  a  300  MHz 
UltraSparc-30  using  Laurent  Arditi’s  *BMD  implementation 
which  has  special  support  for  bit-vector  and  Boolean  oper¬ 
ations  [1].  For  the  two  *BMD  packages,  the  examples  were 
run  with  four  typical  variable  orderings  and  the  best  time 
for  each  example  is  reported.  In  order  to  better  compare  the 


Example 

n 

SVC 

*BMD  1 

*BMD  2 

1 

32 

2 

N/A 

40 

2 

32 

2 

N/A 

1100 

3 

8 

2 

440 

30 

3 

16 

2 

265000 

70 

3 

32 

2 

>  500000 

180 

4 

8 

2 

112 

80 

4 

16 

2 

26400 

720 

4 

32 

2 

>  500000 

8790 

5 

8 

30 

95 

60 

5 

16 

111 

22700 

390 

5 

32 

520 

>  500000 

3780 

A 

32 

0.2  1 

32 

80 

Table  3:  Results  on  Bit- Vector  Arithmetic  Verification  Ex¬ 
amples.  Times  are  in  milliseconds.  Examples  1  through  5 
are  from  Tb.ble  2.  Example  A  is  the  expression  X[„]  4-  !/[«]• 


two  different  *BMD  implementations,  a  simple  n-bit  adder 
example  was  also  done  and  the  result  is  listed  as  example  A. 

Several  important  observations  can  be  made  from  these 
data.  First,  it  is  clear  that  *BMDs  benefit  greatly  from 
the  special-purpose  algorithms  in  Arditi’s  implementation. 
Prom  example  A,  which  does  not  use  the  special-purpose 
algorithms,  it  also  seems  clear  that  Arditi’s  package  could 
benefit  further  from  implementation  in  a  lower-level  lan¬ 
guage  (Bryant  and  Chen’s  package  is  in  C,  whereas  Arditi’s 
package  is  in  Scheme).  However,  even  given  these  possible 
improvements,  SVC  would  still  outperform  *BMDs  on  all 
examples  with  the  possible  exception  of  example  5  (which 
we  will  come  back  to  in  a  moment).  More  importantly,  the 
performance  of  SVC  is  the  same  despite  increasing  bit  width 
on  two  out  of  three  of  the  examples.  The  reason  for  this  is 
that  SVC  is  able  to  maintain  its  bit-vector  abstraction  in 
these  examples  and  thus  does  not  need  to  consider  each  bit 
individually. 

The  reason  SVC  does  poorly  in  example  5  is  that  it  ends 
up  slicing  X  and  thus  the  execution  time  depends  on  the 
number  of  bits  in  x.  However,  if  SVC  were  to  split  on  y 
instead,  it  could  avoid  slicing  x.  This  is  a  problem  similar 
to  variable  ordering  in  *BMDs.  We  were  able  to  write  a 
slightly  modified  version  of  example  5  which  forced  SVC  to 
split  on  y  first.  The  result  was  an  execution  time  of  less 
than  10  ms  independent  of  bit-width.  One  of  the  areas  of 
ongoing  research  in  SVC  is  how  to  automatically  choose  the 
best  variables  for  case-splitting. 

The  primary  application  for  SVC  is  microprocessor  ver¬ 
ification.  As  mentioned  above,  we  are  currently  applying  it 
to  the  TORCH  microprocessor  [11].  Table  4  shows  the  times 
required  to  verify  several  formulas  from  this  effort.  These 
formulas  are  large  and  require  cooperating  decision  proce¬ 
dures  from  several  theories  including  the  bit-vector  theory 


Example 

Size  (KB) 

Case  Splits 

Time  (s) 

PCUnitDataPath 

29 

1254 

1.67 

TbkenBranch 

31 

38 

0.15 

IFetchControl 

65 

29676 

24.1 

IFetchPC 

42 

69374 

317 

Table  4:  TORCH  Microprocessor  Verification  Examples. 
Time  is  in  seconds 

(thus  they  cannot  be  verified  using  *BMDs  alone  and  a  di¬ 
rect  comparison  cannot  be  made).  The  first  example,  PCU- 
nitDataPath,  verifies  that  the  program  counter  is  calculated 
correctly.  The  second  example,  TbJcenBranch,  verifies  that 
the  hardware  correctly  identifies  when  a  conditional  branch 
should  be  taken.  The  last  two  examples  verify  various  prop¬ 
erties  of  the  instruction  fetch  unit.  For  each  example,  we 
show  the  size  of  the  formula,  the  total  number  of  case  splits, 
and  the  time  required  to  verify  the  formula.  We  would  be 
unable  to  automatically  verify  these  formulas  without  the 
bit-vector  decision  procedure. 

6  Conclusions 

Our  method  for  dealing  with  bit- vector  arithmetic  has  many 
advantages.  First,  it  is  complete  and  automatic,  and  al¬ 
though  the  complexity  of  the  problem  dictates  that  there  are 
examples  for  which  it  will  be  exponentially  slow,  it  is  efficient 
on  the  examples  we  have  encountered  so  far.  Second,  we 
reason  at  the  word-level  and  avoid  slicing  bit-vectors  when¬ 
ever  possible.  This  avoids  some  of  the  blow-ups  in  time  and 
space  experienced  by  other  methods.  Finally,  our  method 
is  easy  to  implement  and  integrate  into  an  environment  of 
cooperating  decision  procedures  such  as  that  found  in  SVC. 

As  we  have  seen,  one  limitation  of  SVC  is  that  the  choice 
of  which  variable  to  split  on  can  greatly  inffuence  its  effi¬ 
ciency.  Additionally,  there  is  no  way  to  represent  non-linear 
multiplication  of  bit- vectors  directly  as  there  is  with  *BMDs. 
There  is  also  currently  no  way  to  reason  about  bit- vectors  of 
unknown  size.  We  are  working  on  addressing  some  of  these 
limitations.  For  example,  we  have  implemented  a  couple 
of  automatic  learning  strategies  for  choosing  splitters  which 
dramatically  increase  the  efficiency  of  many  examples. 

Some  areas  of  future  research  include  finding  an  efficient 
abstraction  for  Boolean  bit-vector  operations  and  finding 
more  efficient  ways  of  dealing  with  the  overffow  operator. 
We  would  also  like  to  explore  extensions  to  bit-vectors  of 
unknown  size  and  variable  extraction  indices,  as  well  as  non¬ 
linear  arithmetic.  We  intend  to  continue  to  use  SVC  in  our 
verification  of  TORCH  and  expect  that  it  will  continue  to 
develop  towards  an  important  and  powerful  tool  for  auto¬ 
matic  hardware  verification. 
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